DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid

Transcription

1 DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid Mahmoud Hammad Software Engineering Ph.D. Candidate Mahmoud Hammad, Hamid Bagheri, and Sam Malek IEEE International Conference on Software Architecture (ICSA 2017) Gothenburg, Sweden, April /22/2017

2 Android in the market Source: International Data Corporation (IDC) 2

3 Number of apps in Google Play store Source: Statista 3

4 Not as rosy as it may seem Android malware samples Source: NOKIA Threat Intelligence Report 4

5 Over- privileged resource access <<Android system>> FunGame Messaging LevelUp Sender Composer Main ListMsgs Legend Explicit Intent Implicit Intent SMS permission Location permission Private component Activity Service 5

6 Over- privileged Inter- Component Communication <<Android system>> FunGame Messaging LevelUp Sender Composer Main ListMsgs Legend Explicit Intent Implicit Intent SMS permission Location permission Private component Activity Service 6

7 Research problem Components are over- privileged and violate the Least Privilege (LP) principle 7

8 LP in Android documentation The Android system implements the principle of least privilege. That is, each app, by default, has access only to the components that it requires to do its work and no more. This creates a very secure environment in which an app cannot access parts of the system for which it is not given permission. Android security mechanisms treat apps as the minimum security entities 8

9 Security Consequences Hard to comprehend the security posture of an Android system Increases the attack surface Cause many security vulnerabilities Privilege escalation attack Hidden Inter- Component Communication (ICC) attack 9

10 Privilege Escalation Attack // If (checkcallingpermission ("android.permission.send_sms") == PackageManager.PERMISSION_GRANTED) FunGame Messaging i3 i1 LevelUp Sender Composer i2 Main ListMsgs Legend Explicit Intent Implicit Intent ix Intent SMS permission Location permission Activity Service 10

11 Hidden ICC Attack <<external>> FunGame Messaging i3 i1 LevelUp Sender Composer i2 Main ListMsgs Legend Explicit Intent Implicit Intent Dynamically Loaded Code ix Intent SMS permission Location permission Private component Activity Service 11

12 Outline Ø Approach q Experimental Results q Threats & Conclusion 12

13 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

14 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

15 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

16 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

17 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

18 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

19 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

20 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

21 Android apps Each Android app, APK file, includes configuration file called manifest file App s bytecode The manifest file specifies: principal components that constitute the app provided interface, i.e., Intent Filters required permissions enforced permissions Bytecode contains among other things: App s business logic Components communications Enforced permissions 21

22 Step 1: Architectural Elements Extractor ID App Component Intent Permissions Type Exported Intents Name Filter Granted Used Enforced 1 Messaging ListMsgs Activity Yes {SMS} 2 Messaging Composer Activity Yes {SMS} {i1} 3 Messaging Sender Service Yes SEND_SMS {SMS} {SMS} 4 FunGame LevelUp Service No {Location} 5 FunGame Main Activity Yes MAIN {Location} {i2} 22

23 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

24 Multiple Domain Matrix (MDM) MDM models a complex system with multiple domains Each domain is modeled as a Design Structure Matrix (DSM) DSM and MDM are very effective in capturing and analyzing the architecture of a complex system 24

25 Multiple Domain Matrix (MDM) Task 1 Task 2 Task 3 A system with three tasks Task 1 Task 2 Task 3 Task 1 1 Task 2 1 Task 3 1 Design Structure Matrix (DSM) Task 1 Task 2 Task 3 P1 P2 Task- to- person relationship Task 1 Task 2 Task 3 P1 P2 Task Task Task MDM captures the architecture 25

26 The Original architecture 26

27 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

28 The LP architecture 28

29 Original vs. LP architectures Original Architecture LP Architecture 29

30 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

31 Privilege escalation analysis Let us assume LevelUp does not use dynamic class loading 31

32 Privilege escalation analysis LP Architecture DELDroidmarks communicate LevelUp, Sender as a potential privilege escalation attack 32

33 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

34 Communication ECA rule example Event: i ICC occurs Condition: i. senderpkg = FunGame i. sendercomp = LevelUp i. receiverpkg = Messaging Action: prevent 34

35 Resource access ECA rule example Event: resourceaccessrequest Condition: requester = LevelUp service =Context.LOCATION_SERVICE Action: prevent 35

36 DELDroid 2. Privilege Analyzer Original Architecture 3. Privilege Reducer Design time A,~~~ B,~~~ C,~~~ Architectural Elements 1. Architectural Elements Extractor LP Architecture 4. Security Analyzer ~~~~ ~~~~~ ~~~ ~~~~~ Analysis Result APKs 5. LP Enforcer Run time Android Apps Layer Privilege Manager Layer Resource Monitor ICC Monitor ECA Rules System Resources Legend DELDroid Step Repository DELDroid transaction Resource request ICC

37 Outline q Approach Ø Experimental Results q Threats & Conclusion 37

38 Implementation details DELDRoid is a Java application input : set of apps output: LP architecture and ECA rules The enforcement mechanism implemented in the AOSP version 6 (Marshmallow) Privilege Manager introduced a new package in the Android runtime This package does not affect the existing apps Other components are modified such as ActivityManager and ContextWrapper Installed on Android emulator and Nexus 5X phone 38

39 Evaluation RQ1: How effective is DELDroid in reducing the attack surface? RQ2: How effective is DELDroid in detecting and preventing attacks in real- world apps? RQ3: What is the performance of DELDroid? 39

40 Evaluation setup Dataset Apps Distribution Dataset Apps Benign 370 Vulnerable 335 Malicious 225 Malicious 24% Vulnerable 36% Benign 40% Malicious Dataset Malgenome Brain Test AndroTotal Contagio 40

41 RQ1: Attack surface reduction Bundle Apps Components Intent Intent Explicit Implicit Filter Bundle Bundle Bundle Bundle Bundle Bundle Bundle Bundle Bundle Bundle Average Avg. (per app)

42 RQ1: Attack surface reduction communication Bundle Components Intent Intent Communication Domain Explicit Implicit Filter Original LP Reduction (%) Bundle , Bundle , Bundle , Bundle , Bundle , Bundle , Bundle , Bundle , Bundle , Bundle , Average , Avg. (per app) ,

43 RQ1: Attack surface reduction - permission Bundle Components Intent Intent Permission Granted Domain Explicit Implicit Filter Original LP Reduction (%) Bundle , Bundle , Bundle , Bundle , Bundle , Bundle , Bundle , Bundle , Bundle , Bundle , Average , Avg. (per app)

44 RQ1: Attack surface reduction potential attacks Bundle Components Intent Intent Priv. Esca. Security Analysis Explicit Implicit Filter Original LP Bundle ,944 0 Bundle , Bundle ,721 2 Bundle ,551 0 Bundle ,914 2 Bundle ,745 2 Bundle ,503 1 Bundle , Bundle ,428 8 Bundle ,953 3 Average , Avg. (per app)

45 RQ2: Attacks detection and prevention 54 malicious and vulnerable apps The steps and inputs required to create the attacks are known The dataset contains 18 privilege escalation attacks 24 hidden ICC attacks through dynamic class loading Detection: DELDroid analyzes the derived LP architecture Prevention: manually exercise the apps to create the attacks 45

46 RQ2: Privilege escalation detection results FN Malicious behavior not detected (0) 18 privilege escalation TP Malicious behavior detected (18) FP Benign behavior detected (1) Precision ( ) = 94.74% Recall ( ) = 100% 46

47 RQ2: Attacks prevention FN Malicious behavior allowed (0) 18 privilege escalation 24 hidden ICC attacks 42 attacks TP Malicious behavior prevented (42) FP Benign behavior prevented (1) Precision ( ) = 97.76% Recall ( ) = 100% 47

48 RQ3: Performance design time Execution time of running DELDroid on the 10 bundles, repeated 33 times Recovery (min) LP Determination (sec) Analysis (sec) ECA Rules (sec) Average per bundle 69.5 ± ± ± ±

49 RQ3: Performance run time A script that sends 363 requests to an Android system Each request causes the system to perform an ICC transaction On average, DELDroid takes 25 ± 10 milliseconds to check an intercepted ICC 49

50 Outline q Approach q Experimental Results Ø Threats & Conclusion 50

51 Threats to validity Not all hidden ICC communications are malicious Previous study proposed a technique that check the integrity of the loaded code [1] Static analysis tools cannot effectively analyze obfuscated apps integrating dynamic analysis techniques [1] S. Poeplau et al. Execute this! analyzing unsafe and maliciousdynamic code loading in android applications. In NDSS, SanDiego, California, February

52 Conclusion DELDroid is an automated approach for determining and enforcing the LP architecture for an Android system The LP architecture narrows the attack surface and thwarts certain security attacks Experimental results show between 97% to 99% attack surface reduction detecting and preventing security attacks (97% precision and 100% recall) negligible runtime performance overhead 52

53